Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 7, 2023, 5:56 p.m.	April 7, 2023, 5:58 p.m.

Size	182.7KB
Type	Zip archive data, at least v2.0 to extract
MD5	`fe4b915fc460a3efc2475946a62bc86a`
SHA256	`1eda89d07a5830056d977c89e199e2d1d0e1453d3419de5f9899fc3b1dc0575d`
CRC32	`A9CA75F4`
ssdeep	`3072:GfWILr3jy2KfQbqKORrQbAkZL6NxERbRXVWxQMEcNP62ZPFyvhYb86j1uaMpay14:ghHOStANx8RlWaMACPQhYwe/MIylI`
Yara	zip_file_format - ZIP file format

java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar C:\Users\test22\AppData\Local\Temp\auz.jar
3044
- tasklist.exe tasklist
  1188
- cmd.exe cmd /c schtasks /create /tn "JavaConnect" /tr "\"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe\" -jar \"C:\Users\test22\AppData\Roaming\8a1b9c\8a1b9c78e4be50d055da00f16152f218.log\"" /sc minute /mo 60
  2412
  - schtasks.exe schtasks /create /tn "JavaConnect" /tr "\"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe\" -jar \"C:\Users\test22\AppData\Roaming\8a1b9c\8a1b9c78e4be50d055da00f16152f218.log\"" /sc minute /mo 60
    1192
- reg.exe reg query "HKU\S-1-5-19"
  504
- reg.exe reg query "HKU\S-1-5-19"
  2120

Name	Response	Post-Analysis Lookup
checkmybones.dns.army	A 185.91.69.172	185.91.69.172
carrozzeriabalestra.it	A 46.16.95.61	46.16.95.61
www.geoplugin.net	CNAME geoplugin.net A 178.237.33.50	178.237.33.50

IP Address	Status	Action
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch
185.91.69.172	Active	Moloch
46.16.95.61	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:56630 -> 164.124.101.2:53	2042831	ET INFO DYNAMIC_DNS Query to a *.dns .army Domain	Potentially Bad Traffic
TCP 192.168.56.102:49166 -> 178.237.33.50:80	2019401	ET POLICY Vulnerable Java Version 1.8.x Detected	Potentially Bad Traffic
TCP 192.168.56.102:49166 -> 178.237.33.50:80	2019401	ET POLICY Vulnerable Java Version 1.8.x Detected	Potentially Bad Traffic

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49169 46.16.95.61:443	C=US, O=Let's Encrypt, CN=R3	CN=*.carrozzeriabalestra.it	38:14:89:8b:c8:63:66:5c:06:66:99:87:1c:93:f8:e7:46:89:6a:0e
TLS 1.2 192.168.56.102:49170 46.16.95.61:443	C=US, O=Let's Encrypt, CN=R3	CN=*.carrozzeriabalestra.it	38:14:89:8b:c8:63:66:5c:06:66:99:87:1c:93:f8:e7:46:89:6a:0e
TLS 1.2 192.168.56.102:49165 46.16.95.61:443	C=US, O=Let's Encrypt, CN=R3	CN=*.carrozzeriabalestra.it	38:14:89:8b:c8:63:66:5c:06:66:99:87:1c:93:f8:e7:46:89:6a:0e

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 7, 2023, 5:56 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW April 7, 2023, 5:56 p.m.	computer_name: TEST22-PC	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 7, 2023, 5:56 p.m.		1	1	0

One or more processes crashed (3 events)

Time & API	Arguments	Status
__exception__ April 7, 2023, 5:56 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27f0202 registers.esp: 38927028 registers.edi: 1 registers.eax: 6 registers.ebp: 1948636352 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ April 7, 2023, 5:56 p.m.	stacktrace: _JVM_SetVmMemoryPressure@4-0x128cd jvm+0x7273 @ 0x73ed7273 _JVM_SetVmMemoryPressure@4-0x1285c jvm+0x72e4 @ 0x73ed72e4 JVM_GetThreadStateNames+0x4f379 _JVM_EnqueueOperation@20-0x5f937 jvm+0x15cf29 @ 0x7402cf29 JVM_GetThreadStateNames+0x74947 _JVM_EnqueueOperation@20-0x3a369 jvm+0x1824f7 @ 0x740524f7 JVM_GetThreadStateNames+0x40a57 _JVM_EnqueueOperation@20-0x6e259 jvm+0x14e607 @ 0x7401e607 JVM_GetThreadStateNames+0x69f08 _JVM_EnqueueOperation@20-0x44da8 jvm+0x177ab8 @ 0x74047ab8 _JVM_GetManagementExt@4+0x62088 AsyncGetCallTrace-0x583d8 jvm+0x7d588 @ 0x73f4d588 0x280452b 0x27f47b4 0x27f47b4 0x27f4889 0x27f0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x7402af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x740f13ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x7402afde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x7402b166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x7402b1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x73fcf36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7404dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7404e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x74092ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x742fc556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x742fc600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c7 04 08 01 00 00 00 5d c3 cc cc 83 3d 68 80 25 exception.instruction: mov dword ptr [eax + ecx], 1 exception.exception_code: 0xc0000005 exception.symbol: _JVM_SetVmMemoryPressure@4-0x1293b jvm+0x7205 exception.address: 0x73ed7205 registers.esp: 381480696 registers.edi: 373300224 registers.eax: 896 registers.ebp: 381480696 registers.edx: 1948038612 registers.ebx: 14917600 registers.esi: 373300224 registers.ecx: 3801088	1
__exception__ April 7, 2023, 5:56 p.m.	stacktrace: _JVM_SetVmMemoryPressure@4-0x128cd jvm+0x7273 @ 0x73ed7273 _JVM_SetVmMemoryPressure@4-0x127dc jvm+0x7364 @ 0x73ed7364 JNI_GetCreatedJavaVMs+0x10c8d JNI_CreateJavaVM-0x793 jvm+0xe68fd @ 0x73fb68fd _Java_sun_nio_ch_WindowsSelectorImpl_00024SubSelector_poll0@40+0x277 _Java_sun_nio_ch_WindowsSelectorImpl_setWakeupSocket0@12-0x54 nio+0x5911 @ 0x73d35911 exception.instruction_r: c7 04 08 01 00 00 00 5d c3 cc cc 83 3d 68 80 25 exception.instruction: mov dword ptr [eax + ecx], 1 exception.exception_code: 0xc0000005 exception.symbol: _JVM_SetVmMemoryPressure@4-0x1293b jvm+0x7205 exception.address: 0x73ed7205 registers.esp: 381456492 registers.edi: 373300224 registers.eax: 896 registers.ebp: 381456492 registers.edx: 2130242548 registers.ebx: 0 registers.esi: 373300224 registers.ecx: 3801088	1

Time & API

Arguments

Status

Return

Repeated

__exception__

April 7, 2023, 5:56 p.m.

stacktrace:

exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e
exception.instruction: mov eax, dword ptr [esi]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x27f0202
registers.esp: 38927028
registers.edi: 1
registers.eax: 6
registers.ebp: 1948636352
registers.edx: 0
registers.ebx: 16910336
registers.esi: 0
registers.ecx: 3405691582

__exception__

April 7, 2023, 5:56 p.m.

stacktrace:

_JVM_SetVmMemoryPressure@4-0x128cd jvm+0x7273 @ 0x73ed7273
_JVM_SetVmMemoryPressure@4-0x1285c jvm+0x72e4 @ 0x73ed72e4
JVM_GetThreadStateNames+0x4f379 _JVM_EnqueueOperation@20-0x5f937 jvm+0x15cf29 @ 0x7402cf29
JVM_GetThreadStateNames+0x74947 _JVM_EnqueueOperation@20-0x3a369 jvm+0x1824f7 @ 0x740524f7
JVM_GetThreadStateNames+0x40a57 _JVM_EnqueueOperation@20-0x6e259 jvm+0x14e607 @ 0x7401e607
JVM_GetThreadStateNames+0x69f08 _JVM_EnqueueOperation@20-0x44da8 jvm+0x177ab8 @ 0x74047ab8
_JVM_GetManagementExt@4+0x62088 AsyncGetCallTrace-0x583d8 jvm+0x7d588 @ 0x73f4d588
0x280452b
0x27f47b4
0x27f47b4
0x27f4889
0x27f0697
JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x7402af45
_JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x740f13ae
JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x7402afde
JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x7402b166
JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x7402b1d7
jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x73fcf36f
JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7404dc30
JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7404e4aa
_JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x74092ec6
_endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x742fc556
_endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x742fc600
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c7 04 08 01 00 00 00 5d c3 cc cc 83 3d 68 80 25
exception.instruction: mov dword ptr [eax + ecx], 1
exception.exception_code: 0xc0000005
exception.symbol: _JVM_SetVmMemoryPressure@4-0x1293b jvm+0x7205
exception.address: 0x73ed7205
registers.esp: 381480696
registers.edi: 373300224
registers.eax: 896
registers.ebp: 381480696
registers.edx: 1948038612
registers.ebx: 14917600
registers.esi: 373300224
registers.ecx: 3801088

__exception__

April 7, 2023, 5:56 p.m.

stacktrace:

_JVM_SetVmMemoryPressure@4-0x128cd jvm+0x7273 @ 0x73ed7273
_JVM_SetVmMemoryPressure@4-0x127dc jvm+0x7364 @ 0x73ed7364
JNI_GetCreatedJavaVMs+0x10c8d JNI_CreateJavaVM-0x793 jvm+0xe68fd @ 0x73fb68fd
_Java_sun_nio_ch_WindowsSelectorImpl_00024SubSelector_poll0@40+0x277 _Java_sun_nio_ch_WindowsSelectorImpl_setWakeupSocket0@12-0x54 nio+0x5911 @ 0x73d35911

exception.instruction_r: c7 04 08 01 00 00 00 5d c3 cc cc 83 3d 68 80 25
exception.instruction: mov dword ptr [eax + ecx], 1
exception.exception_code: 0xc0000005
exception.symbol: _JVM_SetVmMemoryPressure@4-0x1293b jvm+0x7205
exception.address: 0x73ed7205
registers.esp: 381456492
registers.edi: 373300224
registers.eax: 896
registers.ebp: 381456492
registers.edx: 2130242548
registers.ebx: 0
registers.esi: 373300224
registers.ecx: 3801088

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind April 7, 2023, 5:56 p.m.	ip_address: socket: 632 port: 0	1	0
listen April 7, 2023, 5:56 p.m.	socket: 632 backlog: 50	1	0
accept April 7, 2023, 5:56 p.m.	ip_address: socket: 632 port: 0	1	612

Performs some HTTP requests (1 event)

request

GET http://www.geoplugin.net/json.gp?ip=175.208.134.152

Allocates read-write-execute memory (usually to unpack itself) (34 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02818000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02828000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02838000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02840000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02848000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02850000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02858000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02860000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02868000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02878000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02880000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02888000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02890000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02898000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02908000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02918000 process_handle: 0xffffffff	1

Creates a suspicious process (2 events)

cmdline	cmd /c schtasks /create /tn "JavaConnect" /tr "\"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe\" -jar \"C:\Users\test22\AppData\Roaming\8a1b9c\8a1b9c78e4be50d055da00f16152f218.log\"" /sc minute /mo 60
cmdline	schtasks /create /tn "JavaConnect" /tr "\"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe\" -jar \"C:\Users\test22\AppData\Roaming\8a1b9c\8a1b9c78e4be50d055da00f16152f218.log\"" /sc minute /mo 60

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 7, 2023, 5:56 p.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x16200000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 7, 2023, 5:56 p.m.	flags: 28 family: 0	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 7, 2023, 5:56 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	tasklist
cmdline	reg query "HKU\S-1-5-19"
cmdline	cmd /c schtasks /create /tn "JavaConnect" /tr "\"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe\" -jar \"C:\Users\test22\AppData\Roaming\8a1b9c\8a1b9c78e4be50d055da00f16152f218.log\"" /sc minute /mo 60
cmdline	schtasks /create /tn "JavaConnect" /tr "\"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe\" -jar \"C:\Users\test22\AppData\Roaming\8a1b9c\8a1b9c78e4be50d055da00f16152f218.log\"" /sc minute /mo 60

Installs itself for autorun at Windows startup (2 events)

cmdline	cmd /c schtasks /create /tn "JavaConnect" /tr "\"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe\" -jar \"C:\Users\test22\AppData\Roaming\8a1b9c\8a1b9c78e4be50d055da00f16152f218.log\"" /sc minute /mo 60
cmdline	schtasks /create /tn "JavaConnect" /tr "\"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe\" -jar \"C:\Users\test22\AppData\Roaming\8a1b9c\8a1b9c78e4be50d055da00f16152f218.log\"" /sc minute /mo 60

auz.jar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All